carloscastilla - Fotolia

Tricks to a bulletproof Amazon VPC setup

Security concerns continue to slow public cloud deployments. How can we set up Amazon VPC to help protect our cloud workloads?

While security remains a barrier to enterprise cloud adoption, tools such as Amazon Virtual Private Cloud give IT teams more control and security capabilities in public cloud.

AWS emphasized the importance of its Virtual Private Cloud (VPC) when it changed default settings so that new Elastic Compute Cloud instance launch inside VPCs. While default VPC configurations help create more secure cloud deployments, enterprises must still design a solid Amazon VPC setup strategy.

Cloud admins must design an overall VPC network that won't grow organically. Incorporate the following best practices and lessons when planning an Amazon VPC setup:

  • Aggressively use tags for instances, networks and other resources to simplify resource management, billing and network policy definition.
  • Design VPC subnets and address space up front so that you don't run out of addresses. Make sure to save room for expansion, but never overlap IP ranges.
  • Create separate networks for different application tiers, business units with unique security requirements as well as test and development versus production.
    • Hosts may need different routing policies. For example, some hosts only communicate internal to internal, while others connect internal to external internet.
    • Application tiers that are distributed across several availability zones (AZs) or applications many have different security requirements that require customized access control lists.
  • Design for security. Use private networks that aren't routable to the internet for external access. Only use public IPs for systems that require external users to access them; all other users should access through Network Address Translation.
    • Use a default-deny security policy, which blocks access for all IPs/ports unless needed.
    • Use AWS Identity and Access Management for access control policies to tightly control access to VPC management.

AWS Professional Services also offers several rules of thumb for Amazon VPC setup. Evenly divide address space across as many AZs as possible. And determine which types of routing are necessary as well as the relative number of hosts.

It's also helpful to create identically sized subnets in each AZ for each routing requirement during Amazon VPC setup. Give subnets the same route table and leave unallocated space available in case you need more.

Next Steps

Increase security through Amazon VPC best practices

How can a move from EC2 to VPC benefit IT?

Simplify the setup and maintenance of Amazon VPC

Dig Deeper on AWS security